False Posative MS04-028

Hi there.

I'm running Vista Ultimate x64 with ESET 3.0.672.0 virus signature 3597.

I also have MS Office Pro 2007. I have all of the latest critical updates from Microsoft for Office and Vista.

There is one directory that contains pictures that came off of my digital camera that generates these false alarms quite predictably (any time I import new pictures).

Here is an excerpt from my ESET log (note that I have replaced the real username for security purposes):

11/9/2008 8:21:21 AM Real-time file system protection file C:\Users\<username>\Pictures\2007-09-30 Pigeon Forge Sept 2007\~igeon Forge Sept 2007 033.tmp Win32/Exploit.MS04-028 trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Program Files (x86)\Windows Live\Mail\wlmail.exe.
11/9/2008 8:21:20 AM Real-time file system protection file C:\Users\<username>\Pictures\2007-09-30 Pigeon Forge Sept 2007\~igeon Forge Sept 2007 032.tmp Win32/Exploit.MS04-028 trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexStoreSvr.exe.
11/9/2008 8:21:20 AM Real-time file system protection file C:\Users\<username>\Pictures\2007-09-30 Pigeon Forge Sept 2007\~igeon Forge Sept 2007 031.tmp Win32/Exploit.MS04-028 trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexStoreSvr.exe.
11/9/2008 8:21:20 AM Real-time file system protection file C:\Users\<username>\Pictures\2007-09-30 Pigeon Forge Sept 2007\~igeon Forge Sept 2007 030.tmp Win32/Exploit.MS04-028 trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Program Files (x86)\Windows Media Player\wmplayer.exe.

 

Hello mig1,

Please submit a sample to our virus lab. To do so, follow the information below:

1. Compress the file(s) into a .zip or .rar archive, and password protect it with the password “infected”.

2. Make a note of this password in the email, attach the zipped file, and email it to samples@eset.com.

3. Use a subject line which clearly states if the attached file contains a suspected infection or a false positive. Also, please include the Customer Care case number if applicable.

4. In the body of the email it is very important to include:

* Any background information as to where the sample was found
* Why you think it is malware or a false positive report.
* If you know that another antivirus company already detects it.
* If you are reporting a potential false positive, please provide as much information as possible about the source of the software, including the name of the developer, the name and version application and the address of the site from which the file was downloaded.

Taking the above steps will greatly assist our labs in the process of identifying and processing samples. If the issue is not resolved within two days and the matter is urgent, please send a follow-up email message with the following information:

* subject line of email that was sent to samples@eset.com
* date and time of email
* email address you sent it FROM and email address you sent it TO.

Thank you,

Richard